What is Segregation of Duties?

Separation or segregation of duties is a set of policies and controls to reduce risk and meet compliance goals by dividing key processes between multiple workers. SoD controls prevent specific combinations of roles that could facilitate fraud or embezzlement — for example, by preventing a single person from creating and paying a vendor.

Expert Insight: Scott Goolik, VP of Compliance and Security

People are fallible, they make mistakes, use poor judgment, and give into temptation. But when those people have access to ERP, the consequences can be huge. Employees can defraud investors of millions, jeopardize the safety of consumers with undetected errors, and expose employers to civil and criminal liabilities.

Segregation of duties policy divides up transactions, both to make it harder for mistakes to slip through undetected, and to hold workers and leadership accountable.

How is Segregation of Duties Policy Used in Compliance?

SoD is a big part of SOX compliance, 21 CFR Part 11, and other regimes. In SOX compliance, segregation of duties policy is focused on preventing fraud, and ensuring the accuracy and integrity of financial statements. Audit trails must be meticulous, and the CEO and CFO must review and sign off on quarterly and annual reports, and can be held accountable for inaccuracies in those reports.

21 CFR Part 11 compliance also depends on SoD. In medical research, manufacturing, and other industries governed by 21 CFR, lives could depend on keeping necessary records and controls. Segregation of duties policy ensures records are only edited by authorized parties, and properly reviewed and authenticated.

What Are Compensating Controls in Segregation of Duties?

Sometimes a segregation of duties audit reveals an SoD conflict that can’t be eliminated. Instead, the company will put in a compensating control to reduce the risks posed by the conflict. For example, if your company has one person creating and paying vendors, your organization could institute a weekly review of vendor transactions as a compensating control.

Why is SAP GRC Necessary for SoD?

Segregation of duties controls are only reliable if you test and review rules and audit transactions regularly. When everything is in spreadsheets or printed in files, that’s a huge undertaking. Even in the best case scenario, SoD conflicts go undetected for months, and sometimes reviewers will miss them entirely.

This also makes segregation of duties audits a nightmare. It may take multiple rounds to get the auditor everything they want, and with no way to model how a change in SoD rules affects your workflow, remediation can be even harder.

SAP GRC software automates these time-consuming tasks, while centralizing your SoD controls. ControlPanelGRC provides SAP SoD risk analysis to detect potential risks before they happen, and continuous monitoring to detect and remediate SoD conflicts in real time. It generates comprehensive audit reports automatically, and even routes them for approval, eliminating the task of chasing down signatures.

Life’s Too Short to Stress Over SoD

Running a business is tough enough by itself without endless worries over failed audits, costly remediation, and the risk of fraud. Learn how Symmetry’s ControlPanelGRC Automated Controls helped Carlisle Construction Materials find a better way to handle segregation of duties — and how we can do the same for you.

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.